A newly disclosed security flaw, tracked as CVE-2025-54370, has been identified in PhpSpreadsheet, a PHP-based library that enables developers to read and write popular spreadsheet formats including Excel and LibreOffice Calc. With over 250 million downloads, the library is deeply embedded in enterprise applications and open-source projects worldwide, which makes the discovery of this vulnerability a significant security concern.
The weakness lies within the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, specifically in the handling of the setPath method. When an attacker is able to feed malicious HTML input into PhpSpreadsheet’s HTML reader, the code can be manipulated to make unauthorized requests from the vulnerable server. For instance, if the library is used to parse an HTML document containing an image tag referencing a local service, the server could inadvertently issue requests to internal endpoints. This creates a classic Server-Side Request Forgery (SSRF) scenario, where attackers can exploit a trusted system to reach otherwise inaccessible services.
The security risk extends beyond SSRF alone. Researchers noted that additional behavior in the codebase, including unsafe use of PHP's file_exists function on attacker-influenced paths when Phar archives are involved, could open the door to deserialization-based exploitation. When chained together, these weaknesses could potentially escalate from simple SSRF to more advanced attacks, including remote code execution in certain contexts.
The potential impact of such exploitation is severe. A malicious actor could leverage the flaw to extract sensitive data from the instance metadata services of cloud providers such as AWS or GCP, map internal infrastructure, or pivot into deeper parts of a network. The ability to abuse a common spreadsheet parsing library for lateral movement highlights how even non-obvious components of a software stack can become high-value targets for attackers.
The vulnerability was discovered by Aleksey Solovev of Positive Technologies, who demonstrated how easily the flaw could be triggered by crafting a malicious HTML document. His findings illustrate the ongoing risks posed by file-parsing libraries, which often serve as trusted intermediaries between unvalidated user input and critical server operations.
According to the official advisory, the flaw affects multiple versions of PhpSpreadsheet across different release lines, including versions prior to 1.30.0, versions between 2.0.0 and 2.1.11, between 2.2.0 and 2.3.x, between 3.0.0 and 3.9.x, and between 4.0.0 and 4.x. Fortunately, the maintainers have issued patches in updated releases, with fixes available in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.
To mitigate the risk, organizations are urged to update immediately to the patched versions. In addition, developers should avoid passing untrusted HTML documents into PhpSpreadsheet’s HTML reader, and enterprises should restrict outbound server connections wherever possible to reduce the blast radius of any SSRF attempt. Since the vulnerability also intersects with potential unsafe deserialization, security teams should audit their environments for exposure to Phar-based payloads as well.
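As an added defensive example (not code from PhpSpreadsheet or from the advisory), the pre-filter below shows what "avoid passing untrusted HTML into the HTML reader" can look like in practice when removing images entirely is not an option: every img element whose src is not an http/https URL resolving to a public address is dropped before the document reaches the library, which covers both the local-service request path and phar:// style sources described above. The class name and policy are assumptions; only IPv4 resolution is handled.

```php
<?php
declare(strict_types=1);

// Hypothetical pre-filter for untrusted HTML destined for PhpSpreadsheet's HTML reader.
// It does not patch the library; updating to a fixed release is still required.
final class HtmlImageSourceFilter
{
    private const ALLOWED_SCHEMES = ['http', 'https'];

    /** Returns the HTML with every <img> whose src fails the policy removed. */
    public static function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);              // tolerate sloppy markup
        $doc->loadHTML($html, LIBXML_NONET);           // no network access while parsing
        foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
            if (!self::isSafeSource($img->getAttribute('src'))) {
                $img->parentNode->removeChild($img);
            }
        }
        return $doc->saveHTML();
    }

    /** Policy: absolute http/https URL whose host resolves only to public addresses. */
    public static function isSafeSource(string $src): bool
    {
        $parts = parse_url($src);
        // Relative paths, file://, phar:// and malformed values all fail here.
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        if (!in_array(strtolower($parts['scheme']), self::ALLOWED_SCHEMES, true)) {
            return false;
        }
        $host = $parts['host'];
        // Literal IPv4 is its own address; otherwise resolve (DNS rebinding is out of scope).
        $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
            ? [$host]
            : (gethostbynamel($host) ?: []);
        if ($ips === []) {
            return false;                              // unresolvable or bracketed IPv6: fail closed
        }
        foreach ($ips as $ip) {
            // Rejects loopback, RFC 1918 and reserved/link-local space, including 169.254.169.254.
            $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
                return false;
            }
        }
        return true;
    }
}
```

The sanitized string can then be handed to the reader's loadFromString(); because the filter removes offending images rather than rewriting them, the resulting spreadsheet simply lacks those drawings.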